Apparatus and locale-based method for thwarting deceptions and/or denial of services

ABSTRACT

Technical problems and their solution are disclosed regarding the location of mobile devices requesting services near a site from a server. Embodiments adapt and/or configure the transmitting device near the site, the mobile device communicating with the transmitting device using a short haul wireless communications protocol to deliver a token based upon a key shared with the server but invisible to the mobile device. The server can determine the proximity of the mobile device to the site to control actuation of the requested service or disable the service request, and possibly flushing the service request from the server.

TECHNICAL FIELD

Technical problems and their solution are disclosed regarding the location of mobile devices requesting services near a site from a server. Embodiments adapt and/or configure the transmitting device near the site, the mobile device communicating with the transmitting device using a short haul wireless communications protocol to deliver a token based upon a key shared with the server but invisible to the mobile device. The server can determine the proximity of the mobile device to the site to control actuation of the requested service or disable the service request, and possibly flushing the service request from the server.

BACKGROUND OF THE INVENTION

The inventors have found a new class of technical problems which is discussed in the summary of the invention.

SUMMARY OF THE INVENTION

The inventors have discovered two inter-related questionable situations, with technical problems associated with each.

-   -   First, how does a server know that a user of a mobile device is         where they, or their mobile device claim them to be?     -   Second, how does the server weed through bogus requests to find         one or more real requests to use a localized service, such as a         traffic light, an elevator, enter a building and so on?

Today, internet denial of service attacks are well known and understood regarding internet service provider systems. However, location-based denial of service attacks are not well known or understood. The inventors came across this technical form of attack by performing a simple experiment on a wireless sensor system. This is a new technical problem which can affect a wide cross section of sensor and actuator systems frequently found in cities, industrial complexes, warehouses, road way systems, and farms. This technical problem will be shown through examples of traffic lights at intersections, elevators in a high-rise building and automated requests to a valet system in a car parking facility. The example situations range from mild inconveniences to potentially life-threatening diminishment of services during an emergency, such as a real or spoofed fire in a high-rise building.

Consider a first example shown in FIG. 1A and FIG. 1B, a parade is scheduled to proceed across multiple lanes of a roadway and approaches an intersection. Suppose some bad actor wants to slow down the parade by impersonating bicyclists waiting at the intersection as shown in FIG. 1A, through the abuse of several cell phones operating traffic applications intended to recognize the cell phone users as bicyclists at the intersection. If the traffic control system cannot tell if the cell phones are actually there as revealed in FIG. 1B, the parade may be disrupted.

Consider a second example, it is an end of shift time for workers on an upper floor in a high-rise building as shown in FIG. 2A. Suppose some bad actor wants to slow or impede the workers going off-shift through the abuse of cell phones requesting elevator service between lower floors as revealed in FIG. 2B. These fake requests may slow down and impede the going-off-shift workers from leaving the high-rise building.

Consider a third example, suppose some bad actor operates a mobile device to initiate a fire alert on a lower floor while the workers on the upper floor are leaving the building at the end of their shift. This could be taken through several steps, including the impersonation of a mobile device associated with a security person for the building. These disruptive steps could have a large effect on multiple individuals and businesses in and around the building, as well as first responders and other emergency personnel. This example is not shown through the use of drawings, because the danger and damage are believed apparent to any thinking person of our time.

Consider a fourth example, in which customers of a valet parking facility can request their cars through an application on their mobile devices. Suppose a bad actor impersonates a large number of these customer mobile devices, requesting that their vehicles be made ready for their use, overwhelming the valet service mechanism's ability to recognize and service the actual customer requests. Again, this example is not shown through the use of drawings, because the danger and damage are believed apparent to any thinking person of our time.

The inventors have solved the technical problems of validating the location of mobile devices near a site where one or more service may be requested. This invention, in its various embodiments, renders the determination of which mobile device is near a site deterministic, in effect contributing to at least partial, and in many instances, complete technical solution to these and many similar problems which may inflict harm and/or inconvenience upon lawful, cooperative inhabitants of our cities, industries, highways, and farms. It encompasses implementations which make “spoofing” the location of a mobile device difficult, and in a number of situations nearly impossible.

One embodiment is implemented as apparatus including a mobile device 100, a transmitting device 200 and a server 300 as shown in FIG. 3 to FIG. 14D. The server 300 and the transmitting device 200 share a first key 600 they each independently use based upon an token generator 610. The first key 600 is invisible to any of the mobile devices 100 which may request a service 500 that is performed no more than a third distance 510 from site 200. The invention may further operate as follows:

The transmitting device 200 generates a token 220 using the first key 600 and the token generator 610 and generates a wireless message 230 including the token 220. The transmitting device may include a short-haul transmitter to send the wireless message 230. The mobile device 200 includes a short-haul receiver 140 to receive the wireless message 230 as a received wireless message 130 when, and only when, mobile device 200 is within a first distance 110 of the transmitting device 200.

The mobile device 100 responds to the received wireless message 130 by parsing the wireless message to generate the token 220 without wireless communicating to the transmitting device 200. The mobile device sends a service request to the server to perform a service at the site. The mobile device sends a message to the server including a form of the token to confirm the mobile device is no more than the first distance from the transmitting device.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A and FIG. 1B show an example of a parade scheduled to cross an intersection, which a bad actor can delay and/or disrupt by spoofing the location of a large number of bicycles. These drawings also show the potential deleterious effects of many fake requests persisting in a server's memory, potentially causing server malfunctions;

FIG. 2A and FIG. 2B show an example of a large number of people requesting elevator service from the 50th floor of a high-rise building, which a bad actor may delay and/or disrupt by spoofing the location of a large number of other people;

FIG. 3, FIG. 4, FIG. 5, FIG. 6, FIG. 7, FIG. 8, FIG. 9, FIG. 10, FIG. 11, FIG. 12A, and FIG. 12B show some examples of the apparatus and their interactions in accord with the invention;

FIG. 13 shows a first example of the distribution of the first key of the previous drawings to the transmitting device and the server which is invisible to the mobile device;

FIG. 14A, FIG. 14B, FIG. 14C, and FIG. 14D show a second example of the distribution of the first key of the previous drawings to the transmitting device and the server which is invisible to the mobile device;

FIG. 15 shows the short haul receiver included in the mobile device and the short haul transmitter included in the transmitting device of previous drawings to be compliant with a short-haul wireless protocol;

FIG. 16A shows some examples of short-haul wireless communications protocols of FIG. 15;

FIG. 16B shows some examples of versions of the Bluetooth® of FIG. 16A;

FIG. 17 shows some examples of the mobile device implementation; and

FIG. 18 shows that the mobile device, the transmitting device, the server and/or the service actuator of previous drawings may include one or more processors engaged to implement at least part of the apparatus as disclosed and/or claimed herein.

DETAILED DESCRIPTION OF THE INVENTION

The inventors have discovered two technical problems with associated, inter-related questionable situations.

-   -   First, how does a server 300 know that a user of a mobile device         100 is where they, or their mobile device claim them to be?     -   Second, how does the server 300 weed through bogus requests to         find one or more real requests to use a localized service 500,         such as a traffic light, an elevator, enter a building and so         on?

Today, internet denial of service attacks are well known and understood regarding internet service provider systems. However, location-based denial of service attacks are not well known or understood. The inventors came across this technical form of attack by performing a simple experiment on a wireless sensor system. This is a new technical problem which can affect a wide cross section of sensor and actuator systems frequently found in cities, industrial complexes, warehouses, and road way systems, and farms. This technical problem will be shown through examples involving traffic lights at intersections, elevators in a high-rise building and automated requests to a valet system in a car parking facility. The example situations range from mild inconveniences to potentially life-threatening diminishment of services during an emergency, such as a real or spoofed fire in a high-rise building.

Consider a first example shown in FIG. 1A and FIG. 1B, a parade is scheduled to proceed across multiple lanes of a roadway and approaches an intersection. Suppose some bad actor wants to slow down the parade by impersonating bicyclists waiting at the intersection as shown in FIG. 1A, through the abuse of several cell phones 800 operating traffic applications intended to recognize the cell phone users as bicyclists at the intersection. If the traffic control system cannot tell if the cell phones 800 are actually there as revealed in FIG. 1B, the parade may be disrupted.

Consider a second example, it is an end of shift time for workers on an upper floor in a high-rise building as shown in FIG. 2A. Suppose some bad actor wants to slow or impede the workers going off-shift through the abuse of cell phones 800 requesting elevator service between lower floors as revealed in FIG. 2B. These fake requests may slow down and impede the going-off-shift workers from leaving the high-rise building. Worse yet, the fake requests could potentially flood the server 300, potentially causing it to malfunction. To avoid this further technical problem, the server 300 needs to remove the fake requests from its pending request queue(s) as shown in FIG. 2B.

Consider a third example. Suppose a bad actor operates a mobile device to initiate a fire alert on a lower floor while the workers on the upper floor are leaving the building at the end of their shift. This could include impersonation of a mobile device 100 associated with a security person for the building. These disruptive steps could have a large effect on multiple individuals and businesses in and around the building, as well as first responders and other emergency personnel. This example is not shown through the use of drawings, because the danger and damage are believed apparent to any thinking person of our time.

Consider a fourth example, in which customers of a valet parking facility can request their cars through an application on their mobile devices 100. Suppose a bad actor impersonates a large number of these customer mobile devices 100, requesting that their vehicles be made ready for their use, overwhelming the valet service mechanism's ability to recognize and service the actual customer requests. Again, this example is not shown through the drawings, because the danger and damage are apparent.

The inventors have solved the technical problems of validating the location of mobile devices 100 near a site 250 where one or more site related service 500 is requested. This invention, in its various embodiments, renders the determination of which mobile device 100 is near the site 250 deterministic, in effect contributing to at least partial, and in many instances, complete technical solution to these and many similar problems which may inflict harm and/or inconvenience upon lawful, cooperative inhabitants of our cities, industries, highways, and farms. It encompasses implementations which make “spoofing” the location of a mobile device 100 difficult, and in a number of situations nearly impossible.

FIG. 3 shows a basic schematic of one embodiment is implemented as apparatus including a mobile device 100, a transmitting device 200 at no more than a second distance 210 from a site 250 and a server 300. The server 300 and the transmitting device 200 share a first key 600 they each independently use based upon a token generator 610. The first key 600 is invisible to any of the mobile devices 100 which may request a service 500 that is performed no more than a third distance 510 from site 200. In some implementations, the token generator 610 may implement a form of a secure hash algorithm of the first key 600 to generate a token 220 shown in subsequent drawings, or alternatively, implement an encryption algorithm of the first key to generate the token 220.

FIG. 4 shows a progression from FIG. 3 wherein the transmitting device 200 generates a transmitter time estimate 260. The first key 600 and the transmitter time estimate 260 stimulate the token generator 610 to generate the token 220. The transmitter time estimate 260 also stimulates the generation of a transmitter time component 262. In some implementations, the transmitter time component 262 represents a selection of some of the bits of the transmitter time estimate 260. In some implementations, the transmitter time component 262 may be implemented as an offset from some observed time event, such as a timing synchronization message.

FIG. 5 shows a progression from FIG. 4 wherein the transmitting device 200 packages the token 220 and the transmitter time component 262 into at least part of the data payload of a wireless message 230. Note that the wireless message 230 may also include message type and/or error control components which may not be part of the data payload.

By way of example, suppose the short-haul receiver 140 of the mobile device 100 and the short-haul transmitter 240 of the transmitting device 200 are compliant with a short-haul wireless communication protocol 700 as shown in FIG. 15. Further, suppose the short-haul communications protocol 700 is a version of Bluetooth® 710 as shown in FIG. 16A, and that the version of Bluetooth® is at least Bluetooth® 4.0 712 as shown in FIG. 16B. In this example, the message type of the wireless message 230 of FIG. 5 may be an advertisement, which does not require a dialog with the mobile device 100 for its short-haul receiver 140 to receive the wireless message 230 from the short-haul transmitter 240 of the transmitting device 200.

FIG. 6 shows a progression from FIG. 5 wherein the mobile device responds to the sending of the wireless message 230 from the short-haul transmitter 240 of the transmitting device 200, which is received by the short-haul receiver 140 to generate the received message 130. The received message 130 contains a data payload including the token 220 and the transmitter time component 262.

FIG. 7 shows a progression from FIG. 6 wherein the mobile device 100 responds to the received message 130 to generate a message 150 containing a data payload including the transmitter time component 262, a service request 155 and a Message Integrity Check (MIC) 160. The MIC 160 may be generated from the token 220, the transmitter time component 262 and the service request 155.

FIG. 8 shows a progression from FIG. 7 wherein the mobile device 100 sends the message 150 to the server 300. The server 300 responds by generating the received message 350 which includes the transmitter time component 262, the server request 155 and the MIC 160. Also shown is the server 300 containing a server time estimate 360. There are several points which should be noted about this drawing:

-   -   Sending the message 150 from mobile device 100 to the server 300         may involve multiple physical transport layer traversals. For         example, suppose the mobile device 100 implements a cellular         phone 800 as shown in FIG. 17. It is quite possible that the         mobile device 100 sending the message 150 may first traverse a         wireless physical transport to a cellular base station and/or to         a wireless hot spot of some sort. Subsequently, the message 150         may traverse a wireline physical transport, such as a fiber         optic network to reach the server 300.     -   The received message 350 and the server time estimate 360 may         have no inherent time order to their generation. For example,         suppose the server 300 includes a processor 900 as shown in         FIG. 18. Further suppose the processor 900 includes at least one         computer 910. It is common for computers 910 to operate a         real-time operating system which may collect events such as the         reception of the received message 350 and the generation of the         server time estimate 360. A task and/or a task thread may be         queued for execution when both of these events are present,         which can lead to the activities in the server 300 shown in FIG.         9.

FIG. 9 shows a progression from FIG. 8, wherein the server 300 reconstructs the transmitter time estimate 260 first shown in FIG. 4. The server 300 may generate the transmitter time estimate 260 in response to the transmitter time component 262 and the server time estimate 360. There are some things to note.

-   -   The server time estimate 360 and the transmitter time estimate         may be measured in the same time units or different time units.         For example, the server time estimate 360 may be measured in         units of a micro-second whereas the transmitter time estimate         260 may be measured in units of a milli-second. Alternatively,         both may be measured in units of a milli-second.     -   While in a simplified environment, assuming the same time units,         the generation of the transmitter time estimate 260 may be a         form of adjustment of the server time estimate 360 to the         closest time compatible the transmitter time component 262. For         instance, one or more of the formats may be a form of fixed         point numbers and/or floating point numbers.

FIG. 10 shows a progression from FIG. 9 wherein the server responds to the generation of the transmitter time estimate 260 by using the transmitter time estimate 260 and the first key 600 to stimulate the token generator 610 to generate the calculated token 320.

FIG. 11 shows a progression from FIG. 10 wherein if the calculated token 320 is essentially the same as the token 220, then the received message 350's payload containing the transmitter time component 262, the Message Integrity Check (MIC) 160, the service request 155 and the calculated token 320 lead the server 300 to authenticate 352 the received message 350. The server 300 further responds by actuating 340 the server request 155, thereby stimulating the service actuator 520 to perform the service 500 near (within the third distance 510) of the site 250.

FIG. 12A shows a second progression from FIG. 10, in which the previously discussed data payload components of the received message 350 and the calculated token 320 are not essentially the same as the token 220. In this situation the server 300 does not authenticate 354 the received message 350. For example, suppose a bad actor wants to spoof lots of bicycles as in FIG. 1A, by using old tokens or fabricating fake tokens 220 in multiple mobile devices 100. The received messages will fail to authenticate 354.

FIG. 12B shows a progression of FIG. 12A wherein the server 300 responds to the received message of FIG. 12A not being authenticated 354 by generating a disable service request 340, which may include but is not limited to, removing the received message 350 and/or removing the transmitter time estimate 260 and/or removing the calculated token 320, each shown in FIG. 12A.

FIG. 13 shows a first example of distributing the first key 600 to the transmitting device 200 and the server 300 by a virtual private network 650, to which the mobile device is not a member, and therefore cannot sniff the first key 600.

FIG. 14A, FIG. 14B, FIG. 14C and FIG. 14D show an example of the Diffie Hellman key exchange to generate the first key 600 without the first key being visible on any connection to the mobile device 100. This discussion will focus on the use of numbers n and G. n is often a prime and G is a second, large prime, possibly of more than 100 bytes in length. In some other, implementations n and G are groups. While these group implementations are well understood, they are less transparent and are left to the literature of those of common skill in the art.

-   -   FIG. 14A shows the mobile device 100, the transmitting device         200 and the server 300 all connected by an insecure network,         where the mobile device 100 can sniff the communications between         the transmitting device 200 and the server 300. In this         situation, the generator G and the base n are distributed to         each of the mobile device 100, the transmitting device 200, and         the server 300. The transmitting device generates a local key a,         which is not visible on the insecure network. The server 300         generates a local key b, which is also not visible on the         insecure network. The transmitting device 200 generate the         public key n{circumflex over ( )}a, which is the large number n         raised to the power a, modulo G. x modulo G is the remainder         resulting from dividing x by G.     -   FIG. 14B shows the result of the transmitting device 200 in FIG.         14A sending the public key n{circumflex over ( )}a across the         insecure network, so that it is now available at the mobile         device 100 and the server 300. The server 300 generates the         public key n{circumflex over ( )}b, by performing n{circumflex         over ( )}b modulo G.     -   FIG. 14C shows the results of distributing the public key         n{circumflex over ( )}b to the transmitting device 200 and the         mobile device 100, which both now include the public key         n{circumflex over ( )}b.     -   FIG. 14D shows the magic of mathematics in our time. The         transmitting device generates the first key 600 by computing         (n{circumflex over ( )}b){circumflex over ( )}a modulo G, from         the received public key n{circumflex over ( )}b, because         (n{circumflex over ( )}b){circumflex over ( )}a=n{circumflex         over ( )}(b*a)=n{circumflex over ( )}(a*b). The server 300         calculates the first key 600 by computing (n{circumflex over         ( )}a){circumflex over ( )}b modulo G, from the received public         key n{circumflex over ( )}a, because (n{circumflex over         ( )}a){circumflex over ( )}b=n{circumflex over ( )}(a*b).         However, the mobile device 100 cannot generate the first key 600         without solving the discrete logarithm problem, which is very         computationally expensive, making the first key 600 invisible to         the mobile device 100.     -   This cryptographic key exchange was named after Whitfield Diffie         and Martin Hellman for their work in the late 1970's.

FIG. 15 shows the short haul receiver 140 included in the mobile device 100 and the short haul transmitter 240 included in the transmitting device 100 of previous drawings to be compliant with a short-haul wireless protocol 700.

FIG. 16A shows some examples of short-haul wireless communications protocols 700, which may include, but are not limited to Bluetooth® 710, Cellular V2X (C-V2X) 730, and Dedicated short-range communications (DSRC) 740.

Note that one or more of these short-haul wireless communications protocols may require a version number(s).

FIG. 16B shows some examples of versions of the Bluetooth® 710 which may include but are not limited to Bluetooth® 4.0 712, Bluetooth® 4.1 714, Bluetooth® 4.2 716, Bluetooth® 5.0 718, Bluetooth® 5.1 720, Bluetooth® 5.2 722 and Bluetooth® x.y 724, where x is at least 4 and y is at least 0. Note that Bluetooth® 4.0 is essentially the same as Bluetooth® 4, Bluetooth® 5.0 is essentially the same as Bluetooth® 5, and so on.

One skilled in the art will recognize that since Bluetooth® 4.0, the Bluetooth® wireless protocol has incorporated a form of message sometimes referred to as an advertisement which is broadcast by a transmitting device 200 and received by a mobile device 100 without any connection dialog between these two devices. As such, the advertisement messages can be generated as the wireless message 230 including the token 220. Parsing the wireless message 130 may involve calculating a signature, which may be used by the mobile device 100 to authenticate the token 220 generated by the transmitting device 200.

Further, communications between the mobile device 100 and the server 300 may employ an encryption mechanism and/or a second shared key to provide secure communications between the mobile device 100 and the server 300. Alternatively, rather than additional encryption, a signature may be incorporated in message 150, which may be used by the server 300 to authenticate the received message 350. In some situations, the signature may be based upon the token 220 in such a way that the token 220 itself may not be derived.

FIG. 17 shows some examples of the mobile device 100 implementing one or more of the following: a cellular phone 800, a wireless client device 810, an SMS messaging device 820, a vehicle mounted device 830 and/or a human mounted device 840. For example, a wireless client device 810 may be a tablet computer and/or a notebook computer. A vehicle mounted device 830 may be mounted on or in a covered vehicle and/or a bicycle, which may further provide Global Positioning Service (GPS) based navigation assistance. A human mounted device may be wrist mounted somewhat similar to a watch, forearm or arm mounted, possibly providing a small keypad. The human mounted device may also be worn about the neck, somewhat like a necklace.

FIG. 18 shows that the mobile device 100, the transmitting device 200, the server 300 and/or the service actuator 520 of previous drawings may include one or more processors 900 engaged to implement at least part of the apparatus as disclosed and/or claimed herein. Each processor 900 may include at least one instance of a computer 910, a Finite State Machine 920, an Inference Engine 930 and/or a Neural Network 940.

As used herein, a computer 910 includes at least one data processor and at least one instruction processor, wherein the data processor is instructed by at least one of the instruction processors.

As used herein, the Finite State Machine 920 receives at least one input signal, maintains at least one state and generates at least one output signal based upon the value of at least one of the input signals and/or at least one of the states.

As used herein, the Inferential Engine 930 includes at least one inferential rule and maintains at least one fact based upon at least one inference derived from at least one of the inference rules and factual stimulus and generates at least one output based upon the facts.

As used herein, the Neural Network 940 maintains at list of synapses, each with at least one synaptic state and a list of neural connections between the synapses. The Neural Network 940 may respond to stimulus of one or more of the synapses by transfers through the neural connections that in turn may alter the synaptic states of some of the synapses. 

What is claimed is:
 1. An apparatus, comprising: Av1) a mobile device, a transmitting device located near a site, and a server; said mobile devices includes a short-haul receiver; said transmitting device includes a short-haul transmitter; said transmitting device and said server share a first key invisible to said mobile device; Bv1) said mobile device is adapted and configured to receive a wireless message containing a token from said transmitting device located within a short range of said mobile device; Cv1) said transmitting device is adapted and configured to generate said token in said wireless message using a token generator, using said first key and using a transmitter time estimate; and said transmitting device operates said short-haul transmitter to transmit said wireless message to said mobile device to create a received message; Dv1) said mobile device is configured to respond to said received message to generate said token and said transmitter time estimate without wirelessly communicating to said transmitting device; Ev1) said mobile device generates a message including said transmitter time component, a service request and a Message Integrity Check (MIC); wherein said MIC is generated from said token, said transmitter time component, and said service request; Fv1) said server responds to said message to create a second received message including said transmitter time component, said service request, and said MIC; Gv1) said server responds to said second received message by generating said transmitter time estimate from a server time estimate and said transmitter time component; and Hv1) said server operates said token generator responds to said transmitter time estimate and said first key to generate a calculated token; Iv1) said server responds to said calculated token and said received message to authenticate that said mobile device is within a first distance of said site by activating said service request of said service at said site.
 2. The apparatus of claim 1, wherein said server disables said service request if said server did not authenticate said mobile device is within said first distance of said site.
 3. The apparatus of claim 2, wherein said server disables said service request further comprises said server removes said message and/or said service request from said server.
 4. The apparatus of claim 1, further comprising: Avc2) wherein said server authorizes said service at said site in response to said server proving said mobile device is within said first distance near said server time estimate based upon said received message; and/or Bvc2) wherein said server disables said service request in response to said server proving said mobile device is not within said first distance near said server time estimate based upon said received message.
 5. The apparatus of claim 1, wherein said mobile device implements at least one member of a first group consisting of a cellular phone, a wireless client device, a SMS messaging device, a vehicle mounted device, and a human mounted device.
 6. The apparatus of claim 1, wherein said short-haul receiver and said short-haul transmitter each implement a version of Bluetooth® at no less than version 4[dot]0.
 7. The apparatus of claim 1, wherein said short range is not more than a member of the group consisting of 10 meters (m), 50 m and 100 m; and/or wherein said second distance is not more than a member of a second group consisting of 1 m, 3 m, and 5 m.
 8. The apparatus of claim 1, said first key is shared between said server and said transmitting device using at least one of: an Virtual Private Network (VPN) connection and a Diffie Hellman key exchange to generate said first key without said first key being visible on any connection to said mobile device.
 9. The apparatus of claim 1, wherein said first distance is within said short range minus a second distance from said transmitting device and said site.
 10. An apparatus, comprising: Au1) a mobile device, a transmitting device located near a site, and a server; said transmitting device and said server share a first key invisible to said mobile device; Bu1) said mobile device adapted and configured to receive a wireless message as a received message containing a data payload at least partly generated by said first key using a short-haul wireless communication protocol from said transmitting device located within a short range of said mobile device; Cu1) said transmitting device adapted and configured to operate a token generator using said first key to at least partly generate said data payload in said wireless message; and said transmitting device adapted and configured to transmit said wireless message via said short-haul wireless communication protocol to said mobile device; Du1) said mobile device responds to said received message to generate a token and a transmitter time component from said transmitting device without wirelessly communicating to said transmitting device; Eu1) said mobile device generates and sends a message to said server including said transmitter time component, a service request and a Message Integrity Check (MIC); wherein said MIC is generated from said token, said transmitter time component, and said service request; Fu1) said server responds to said message received from said mobile device to create a second message using said first key shared with said transmitting device and said first key is invisible to said mobile device; and Gu1) said server authorizes said service request at said site if said second received message proves said mobile device is within a first distance of said site.
 11. The apparatus of claim 10, wherein said server disables said service request if said second received message proves said mobile device is not within said first distance of said site.
 12. The apparatus of claim 11, wherein said server disables said service request further comprises said server removes said message and/or said service request from said server.
 13. The apparatus of claim 10, further comprising: Auc1) wherein said server generates a server time estimate corresponding to a transmitter time estimate when said transmitting device generated said token.
 14. The apparatus of claim 13, further comprising: Auc2) wherein said server authorizes said service at said site in response to said server proving said mobile device is within said first distance near said server time estimate based upon said second received message; and/or Buc2) wherein said server disables said service request in response to said server proving said mobile device is not within said first distance near said server time estimate based upon said second received message.
 15. The apparatus of claim 10, wherein said mobile device implements at least one member of a first group consisting of a cellular phone, a wireless client device, a SMS messaging device, a vehicle mounted device and a human mounted device; and/or wherein said short-haul wireless communication protocol includes at least one version of at least one member of a protocol group consisting of Bluetooth®, Dedicated short-range communications (DSRC), and Cellular V2X (C-V2X).
 16. The apparatus of claim 15, wherein said short-haul wireless communications protocol includes said version of said Bluetooth® at not less than version 4[dot]0.
 17. The apparatus of claim 10, wherein said short range is not more than a member of the group consisting of 10 meters (m), 50 m and 100 m; and/or wherein said second distance is not more than a member of a second group consisting of 1 m, 3 m, and 5 m.
 18. The apparatus of claim 10, said first key is shared between said server and said transmitting device using at least one of: a Virtual Private Network (VPN) connection and a Diffie Hellman key exchange to generate said first key without said first key being visible on any connection to said mobile device. 